Practical Usage of Passive DNS Monitoring for E-Crime Investigations

Transcription

1 Practical Usage of Passive DNS Monitoring for E-Crime Investigations Rod Rasmussen President & CTO, Internet Identity rod.rasmussen <isat> internetidentity.com

2 Topics Passive DNS overview Use Cases Challenges The future

3 Passive DNS Replication 2004 Florian Weimer at the University of Stuttgart Monitor DNS queries and responses near recursive servers Physical network location with visibility Filter down to just the DNS queries/responses Know what is being asked for and what the responses are being received back from authority servers Put it in a database Find out all kinds of interesting stuff!

4 Queryable PDNS Collections BFK (Florian s) SIE (ISC) DNSParse (Bojan) CERT-EE One Ring to Rule Them All? passive-dns-query-tool

5 Inside vs. Outside Where do we monitor from? PDNS Sensor Inside Outside Recursive Server Authoritative Server

6 Inside Monitoring Get all resolution attempts (minus stub caching) Good for watching for volume spikes Volume can be quickly overwhelming Know exact machine(s) making requests Can track down infections to the source Privacy concerns (ISPs)

7 Outside Monitoring See aggregate numbers of resolutions for the organization, ISP etc. Easier data management Lose volume information to caching Privacy and internal security concerns largely handled

8 SIE Model Source: ISC

9 Mapping Criminal Infrastructure Source: ISC

10 Tracking Down a Spam From: Claire Newell anarchdd@yeonil.net Subject: Fwd: Date: April 4, :44:06 PM PDT

11 Whois pillsgy.com??? Domain Name: PILLSGY.COM Registrar: IPNIC, INC. Whois Server: whois.myorderbox.com Referral URL: Name Server: NS1.DNSPLAC.COM Name Server: NS2.BEZZDNS.RU Status: clienttransferprohibited Updated Date: 03-apr-2011 Creation Date: 18-mar-2011 Expiration Date: 18-mar-2012 Registrant: Koshil Igor Igor Koneva str Koneva str Omsk Omsk, RU Tel Fax Creation Date: 18-Mar-2011 Expiration Date: 18-Mar-2012 Domain servers in listed order: ns1.dnsplac.com ns2.bezzdns.ru Administrative Contact: Koshil Igor Igor Koneva str Koneva str Omsk Omsk, RU Tel Fax

12 Oh Goodie V1agr4, eh.

13 Passive DNS Doesn t Look Bad IP search: Found 2 records Host/Domain Name First Seen IP ASN BGP Netblock pillsgy.com :43: /12 pillsgy.com :28: Nameserver search: Found 4 records Nameserver First Seen ns2.bezzdns.ru :43:27 ns1.dnskt.com :43:27 ns1.ezydomain.com :28:22 ns2.ezydomain.com :28:22

14 Let s Look at That IP inetnum: netname: NINBO-LANZHONG-LTD country: CN descr: Ninbo Lanzhong Network Ltd descr: admin-c: TD209-AP tech-c: CS64-AP status: ASSIGNED NON-PORTABLE changed: auto-dbm@dcb.hz.zj.cn mnt-by: MAINT-CN-CHINANET-ZJ-SX source: APNIC role: CHINANET-ZJ Shaoxing address: No.9 Sima Road,Shaoxing,Zhejiang country: CN phone: fax-no: anti-spam@mail.sxptt.zj.cn trouble: send spam reports to antispam@mail.sxptt.zj.cn trouble: and abuse reports to anti-spam@mail.sxptt.zj.cn admin-c: CH109-AP tech-c: CH109-AP nic-hdl: CS64-AP mnt-by: MAINT-CHINANET-ZJ changed: master@dcb.hz.zj.cn source: APNIC person: Taichun Du nic-hdl: TD209-AP anti-spam@mail.sxptt.zj.cn address: Shaoxing,Zhejiang.Postcode: phone: country: CN changed: auto-dbm@dcb.hz.zj.cn mnt-by: MAINT-CN-CHINANET-ZJ-SX source: APNIC

15 Jackpot! Your query returned 438,394 records. First Seen Host/Domain 3/23/2011 8:59 0.2k.medicsy.com 3/23/ :30 0.2l60.medicsy.com 3/23/ : medicdm.com 3/23/ : medicsy.com 4/4/ : topmedicb.ru 4/4/ : t.medicsy.com 3/21/2011 0:00 0.6fj0.medicsy.com 1/27/ :26 0.bsirr.doctorgco.ru 1/26/ :42 0.bsirr.sodoctorg.ru 1/27/2011 8:44 0.bsirr.sudoctorg.ru 3/23/2011 8:59 0.cf7ts7.topmedicb.ru 3/23/ :30 0.cf9.topmedicb.ru 3/23/ :19 0.ct.medicsy.com 3/23/ :42 0.cu60.medicsy.com 3/24/2011 2:52 0.d.medicsy.com First Seen Host/Domain 3/21/ :43 candmedic.ru 3/19/ :59 candoctor.ru 3/25/ :14 candx.wke.asterwase.net 2/25/ :58 cazht.medicinexi2.ru 3/29/ :12 cazkt.extralegallow.org 1/28/2011 3:43 cazuy.pharmacyrx38.com 3/26/2011 6:16 cb.r.10yearsextrces.net 3/23/2011 8:16 cb6kf.v.topmedicb.ru 3/23/2011 9:25 cb6n8.8a.medicsy.com 3/23/ :54 cb6s.gy.topmedicb.ru 3/23/ :35 cb6zy.5v2rt.medicsy.com 3/23/ :46 cb8.t.medicsy.com 3/24/2011 3:18 cba8g.st9al.topmedicb.ru 2/1/ :36 cbaaf.rxshopds9.com

16 How About a Nameserver? Found 26 records First Seen Domain 4/4/2011 1:51 bljxpills.ru 4/3/ :12 brjxpills.ru 4/4/ :51 caxrpills.com 4/3/ :09 chxrpills.com 4/3/ :33 dnsplac.com 4/3/ :45 doctorje.com 4/4/ :47 doctorod.com 4/3/ :20 doctorrg.com 4/3/ :25 doctorrl.com 4/3/ :41 fajxpills.ru 4/4/ :58 gejxpills.ru 4/4/2011 9:32 medicaqap.ru 4/4/2011 8:01 medicaqar.ru First Seen Domain 4/4/ :02 medicaqch.ru 4/4/ :14 medicaqci.ru 4/3/ :15 medicaqee.ru 4/3/ :18 medicaqen.ru 4/3/ :18 midiclxia.ru 4/3/ :38 midiclxic.ru 4/3/ :46 midiclxme.ru 4/3/ :15 midiclxnf.ru 4/3/ :51 midiclxto.ru 4/4/ :23 pillsin.com 4/3/ :26 pillsll.com 4/4/ :56 rafpills.com 4/3/ :19 stpills.com

17 Tracking Malware C&C s Once you know a C&C IP, you can start tracking down probable C&C and rendezvous domains Zeus is a great example typically controlled via a series of domains Let s take data from ZeusTracker and see if we can improve detection using PDNS

18 ZeusTracker

19 Zeus C&C IP Located in Romania ZeusTracker has 6 domains on it

20 Passive DNS Expands the Story 13 Records on 12 distinct domains double the action for blocking and remediation

21 Even more to find Checking one of the new domains for this IP, we find 2 new IPs from topupdates.ru Turns out several of the new domains just weren t seen on the first IP, but were spotted later. PDNS would greatly improve detection speed

22 Fast-Flux Detection PDNS an excellent way to find new FFLUX domains and hosts Set-up traps on new (or old) domains/hosts and watch for tell-tales Multiple IPs across ASNs Lots and lots of hostnames (wildcarding) Was particularly good for ROCK/Avalanche Not in vogue as much these days

23 FFLUX Example Suspected Avalanche Domain - platinumalbumm.com Detected via flux behavior 31/8/2010 Found 175 records First Seen IP ASN BGP Netblock :03: / :06: / :53: / :40: / :30: / :33: / :13: / :23: / :41: / :56: / :39: / :11: / :53: /14

24 Bullet Proof Hosting PDNS allows you to explore entire hosting locations to tie criminal activities together Search CIDR blocks and correlate data Can t kill a pharma shop or replica knock-offs? Go after them for phishing and malware hosting Better chance of de-peering with nastier stuff

25 Monitoring Your Infrastructure PDNS is a great tool for alerting you of unauthorized activities with your names and your IP space Take-over of infrastructure hacking/hijacking Compromises of machines for hosting malicious content or activities The latest marketing campaign you weren t told about Domain name expirations

26 Finding Bots on Your Network Map out IP infrastructure and set-up standard scans/ alerts based on new hostname mappings appearing Filter out known good domains/hosts Filter known anomalies DNS tunneling services SonicWall router responses Other bizarre chaff that shows up ISPs may want to filter Dynamic DNS services maybe not depending on hostname

27 Sample Network Scan Let s look at a large bank range ( /12) 1751 Records we ve seen in past 18 months Lots of standard junk 918 DNS Tunneling hosts b9d2183d19a87a6776d09df644df5dab898a.1.ziyouforever.com 830 SonicWall hosts c52e682d griddnsd.global.sonicwall.com

28 Three Records to Examine No bank hosts showing up good, it s a non-public network space! uluqwovl.info -> pnncfoxrtfz.ekuxejqw.com -> midvalleydental.net -> First one is just plain weird no ties to anything else and not operative Third is odd, until you look at this: Dig midvalleydental.net -> Dig ->

29 pnncfoxrtfz.ekuxejqw.com Whois looks bad Registrar: TODAYNIC.COM, INC. Creation Date: 05-mar-2011 Nameservers: N588.COZVEND.BIZ, N776.COZVEND.BIZ On some spam lists, not working now Rotated IPs

30 IPs Moving All Over Found 9 records First Seen IP ASN BGP Netblock :35: / :25: :35: :35: / :25: / :25: / :35: / :25: / :25:

31 Nameservers Look Suspicious Found 60 records First Seen Domain :48:27 adubapot.com :23:34 afohilim.com :23:08 afypisur.com :19:44 ahamifej.com :20:28 ajupymyx.com :22:27 amqzewit.com :21:54 apimywax.com :57:23 arohuhuv.com :22:44 atasyzel.com :49:14 avqfugqv.com :08:54 awyxufel.com :56:33 azyjyroc.com :55:39 ekqtagiw.com :50:51 ekuxejqw.com :46:49 elqvizyk.com :59:27 epofapeb.com First Seen Domain :59:48 itipytob.com :41:14 ixohoren.com :37:47 izetqmab.com :49:35 ocesytaw.com :36:02 ofyruwqb.com :29:55 ogqhejej.com :23:14 ogycovqb.com :26:55 omizodav.com :48:34 orynypoh.com :45:31 osodigaw.com :49:18 owapupih.com :59:04 oxaxesuz.com :09:20 qdopqcqh.com :47:49 qdulyjqd.com :49:01 qfatunam.com :38:07 qgucipyl.com

32 pnncfoxrtfz.ekuxejqw.com Google cache of this one oops!

33 pnncfoxrtfz.ekuxejqw.com Following that link sure not our bank!

34 Data Exfiltration Same techniques can be used to spot data exfiltration from your networks Google found Aurora via DNS logs, PDNS works from the outside or in conjunction with inside monitoring position without the overhead of DNS log parsing Night Dragon case well, not so much didn t see the hosts in the main passive feed (we got them from a separate source) Assumption is that they used the hacked company s own recursive servers for resolution to the data dump domains

35 RSA Breach Several reported domains/subdomains AGOOGLE.IN ALBERTSTEIN.DDNS.US ALVINTON.JETOS.COM BILLGATES.ITSAOL.COM BUFFET.BBSINDEX.COM BUFFET80.ITSAOL.COM DOMIKSTART.HOPTO.ORG FOOTBALL.DYNAMICLINK.DDNS.US FREE NET FTP.XMAHOME.OCRY.COM GOOD.MINCESUR.COM OBAMA.SERVEHTTP.COM PRC.DYNAMICLINK.DDNS.US SAFECHECK.ORGANICCRAP.COM SMTP.DYNAMICLINK.DDNS.US SUPERAROUND.NS02.BIZ UP82673.HOPTO.ORG

36 RSA Breach Prelim PDNS Info A few of those domains appear to be outliers Attacks may have lasted months Most IPs for activities were in China, a few in South Korea and India, and at least one in the US We found several unreported ftp hostnames that point straight to possible exfiltration of data ;; first seen: :46: ftp.alvinton.jetos.com. IN A CHINA ;; first seen: :51: ftp.alvinton.jetos.com. IN A CHINA

37 Detecting Domain Hijacking Set-up watches for changes to nameservers and/or IP addresses on critical hostnames under a domain. Can combine with active DNS monitoring of critical assets Changes to ASN s used by those hosts or to known or suspicious neighborhoods can be alerted for investigation Can use PDNS database to determine if the event is specific or widespread (e.g. registry hack, domain account take-overs)

38 Bangladesh gets p0wned Through active DNS monitoring, we spotted microsoft.com.bd being moved onto malicious looking nameservers and an odd IP address Sure enough domain name hijacking!

39 PDNS Tells the Bigger Story A lot more victims = Registry hack Looks like cross-site scripting attack against BD NIC Found 4 records Nameserver First Seen Host localh0st1.avjournal.com :51:15 google.com.bd localh0st1.avjournal.com :53:36 hsbc.com.bd localh0st1.avjournal.com :26:00 music.com.bd localh0st1.avjournal.com :28:19 aloashbei.com.bd Found 3 records! Host/Domain Name!First Seen!!IP!!!!ASN!!BGP Netblock!! hsbc.com.bd" " :38:46 " " "9221 " /24 "" hsbc.com.bd" " :32:31 " " "40244 " /19 "" hsbc.com.bd" " :49:08 " "9221 " /24 ""

40 Take-over of legit DNS Bad guys like to use DNS but know their own domains can get blocked/shut-down Great leverage if you can compromise the DNS of a real site Can t (or shouldn t) block/shut-down legit domain Site owner may be unaware of compromise Can do in conjunction with site or just the DNS

41 Domain DNS Take-over Vectors Control all aspects website/dns/ Registrar/hosting combo accounts Cpanel or other management tools Site server looks guilty as evil content present Control the DNS Registrar or DNS provider take-over P0wn the nameserver IPs for legit and illegitimate servers differ

42 Legit website

43 Hitchhiker Site bnkofamericasityk1eybknofamerica/bnkofamericasitykeybknofamerica/signon.php?section=signinpage&update=&cookiecheck=yes&destination=nba/signin

44 PDNS tells a story Found 3 records in Passive DNS IP Address ASN BGP Netblock First Seen Host/Domain / :06:36 bankofamerica.com.sitekey.securepages.infoupdate.verifyinfo.townhouseflorida.com / :19:20 bankofamerica.com.townhouseflorida.com / :40:30 townhouseflorida.com Note that a wildcard DNS record for a domain can Be exploited similarly if you have compromised the site. Thanks Peter!

45 Disaster Scams Katrina, Indian Ocean Tsunami, Haiti, Japan Disaster Scams set-up to solicit funds Lots of real efforts too careful analysis needed PDNS a great tool for finding quickly and in any cctld or subdomains Generate lists for automated and human analysis

46 Japan Disaster Tracking Sample Set-up alerts for likely string combos Japan & Tsunami, Sendai & Earthquake, etc. Whitelists and automation to block known sites and find likely candidates Human Review of likely ones

47 donations-help.webs.com

48 Same Techniques for Brands Search for terms, typo variants Group results and drill in on potential offenders Set-up alerts on new hits for potential nastiness The following alerts for "google" were generated on at 23:35. Search terms: google ggoogle.de goodgoogle346.cn google-secrets.com googlematt.com Build cases based on large corpus of offender data

49 Need a Zone File? If it s being used, you can get it via PDNS I ve solved my cctld access problems! Subdomain resellers aren t a major issue any more Can use the info to understand hostname behavior and properly categorize hosting companies, DNS providers and the like Would have REALLY helped ICE when they shut-down mooo.com to have done this kind of analysis (besides just looking at their homepage)

50 Sample Zones.TK 1 million plus Mooo.com 35K records Just what is stuff like 0wrr6d267.mooo.com for anyway? ibm.com 947 records facebook.com - Just kidding! A bazillion records Not 100%, but pretty good coverage

51 Challenges/Pitfalls/Gotchas Not everything is perfect in PDNS land False-positives due to shared hosting People treating the DNS badly DNS Tunneling Facebook Akamai and CDN s Domain parking sites

52 The Future

53 More Sensors Needed Help!

54 Use of caching DNS for botnets 1) Victim PC is infected 2) Attacker registers a domain or subdomain 3) Attacker encodes malware binary in a set of CNAME RRs in the authoritative zone with long TTLs 4) Attacker queries for malware RR s using popular open recursive servers and those servers cache the responses 5) Attacker removes domain used from delegation 6) Malware on victim PC uses DNS queries to the same popular open resolvers to acquire code 7) Removal of authoritative doesn't mitigate threat because caches of CNAME RRs persist well beyond remediation Paper by Rodriguez and Hidalgo -

55 Automating Detection Two interesting proposals, Notos, EXPOSURE Notos Dynamic Reputation System for DNS Build reputation and use on new hosts EXPOSURE Feature Based System for PDNS Use training on features to tag new hosts

56 Notos

57 Notos

58 EXPOSURE

59 Questions?

60 Practical Usage of Passive DNS Monitoring for E-Crime Investigations Thanks! Rod Rasmussen President & CTO, Internet Identity rod.rasmussen <isat> internetidentity.com